in reply to DBI and stored procedures
As an end user of database at work, I upload pictures and info to a website for the purpose of sales. Aside from the overall truly awful cms I am forced to endure/use, I am numerous times faced with redirect clauses in WHEREs crashes and the like on a frequent basis. It is stupendously annoying. Not to mention inefficient.
But this is beside the point. It is reasonably straightforward to untaint data, prior to checking for SQL type compatibility.
my $inputstring =~ s/^(\w+)$//;
my $username = $1;
(\w+) checks string for letters and underscore [0-9A-Za-z_] and stores the match in $1. The ^ and $ characters anchor the match to be from the begininng to the end of the string only, so no non-printable characters before or after. You may need to chomp the '\n' before putting through substition.
See perlsec for more info on Taint and laundering data, and perlrequick for an intro to regexes